Text passwords. Hazim Almuhimedi. Presentation transcript:

1 Text passwords Hazim Almuhimedi

2 Agenda
◦ How good are the passwords people are choosing?
◦ Human issues
◦ The Memorability and Security of Passwords
◦ Human Selection of Mnemonic Phrase-based Passwords

3 Authentication Mechanisms
Something you have
◦ Cards
Something you know
◦ Passwords
   Cheapest way.
   Most popular.
Something you are
◦ Biometrics
   Fingerprint

4 Passwords are a continuing problem
Passwords are a serious real-world problem.
◦ SANS Top-20 2007 Security Risks
◦ Every year, password problems are in the list:
   Weak or non-existent passwords
   Users who don't protect their passwords
   OS or applications create accounts with weak/no passwords
   Poor hashing algorithms
   Access to hash files
Source: Jeffery Eppinger, Web Application Development.

5 How good are the passwords people are choosing?
It is a hard question to answer.
◦ Data is scarce.
◦ One available data set: the MySpace phishing attack.

6 Poor, Weak Passwords
Poor, weak passwords have the following characteristics:
◦ The password contains fewer than 15 characters.
◦ The password is a word found in a dictionary (English or foreign).
◦ The password is a common-usage word.
Source: Password Policy, SANS 2006.

7 Strong Passwords
Strong passwords have the following characteristics:
◦ Contain both upper- and lower-case characters.
◦ Have digits and punctuation characters.
◦ Are at least 15 alphanumeric characters long and are a passphrase.
◦ Are not a word in any language, slang, dialect, or jargon.
◦ Are not based on personal information.
◦ Passwords should never be written down or stored on-line.
Source: Password Policy, SANS 2006.

8 Strong Password?

9
◦ At least 8 characters.
◦ Contain both upper- and lower-case characters.
◦ Have digits and punctuation characters.

10 MySpace Phishing Attack
◦ A fake MySpace login page.
◦ Sent the captured data to various web servers, to be collected later.
◦ 100,000 fell for the attack before it was shut down.
◦ This analysis covers 34,000 users.

11 Password length Average: 8 characters.

12 Password length
There is a 32-character password:
 "1ancheste23nite41ancheste23nite4"
Other long passwords:
 "fool2thinkfool2thinkol2think"
 "dokitty17darling7g7darling7"

13 Character Mix

14 Common Passwords
Top 20 passwords, in order:
password1, abc123, myspace1, password
Blink182, qwerty1, fuckyou, 123abc
baseball1, football1, 123456, soccer
monkey1, liverpool1, princess1, jordan23
slipknot1, superman1, iloveyou1, monkey

16 Common Password
"Blink 182" is a band.
◦ A lot of people use the band's name:
   Easy to remember.
   It has numbers in its name, and therefore it seems like a good password.

17 Common Password
"qwerty1" refers to QWERTY,
◦ the most common keyboard layout on English-language computers.

18 Common Password
The band "Slipknot" doesn't have any numbers in its name,
◦ which explains the "1".

19 Common Password
The password "jordan23" refers to
◦ basketball player Michael Jordan
◦ and his number, 23.

20 Common Password I don't know what the deal is with “monkey”.

21 Common Password

22 Passwords getting better Who said the users haven’t learned anything about security?

23 Human Issues
◦ Social engineering.
◦ Difficulties with reliable password entry.
◦ Difficulties with remembering the password.
Humans are often the weakest link in the security chain.

24 Human Issues
Social Engineering.
◦ The attacker extracts the password directly from the user.
◦ Attacks of this kind are very likely to work unless an organization has well-thought-out policies.
◦ In his 2002 book, The Art of Deception, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering.
   Motorola case: http://www.youtube.com/watch?v=J4yH2GPiE7o (3:09)
Kevin Mitnick: It's much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in. http://www.youtube.com/watch?v=8_VYWefmy34 (2:00)
Source: Wikipedia, Social engineering.

25 Human Issues
Social Engineering.
336 CS students at the University of Sydney:
   Some were suspicious:
   30 returned a plausible-looking but invalid password.
   Over 200 changed their passwords without official prompting.
   Very few of them reported the email to the authorities.

26 Human Issues
Social Engineering.
◦ How to solve this problem?
   A strong and well-known policy.

27 Human Issues
Difficulties with reliable password entry.
◦ If a password is too long or complex, the user might have difficulty entering it correctly.
◦ South Africa case:
   A 20-digit number for the pre-paid electricity meters.
   Any suggested solution?
◦ If the operation they are trying to perform is urgent,
   this might have safety or other implications.

28 Human Issues
Difficulties with remembering the password.
◦ The greatest source of complaints about passwords is that most people find them hard to remember.
◦ When users are expected to memorize passwords:
   They either choose values that are easy for attackers to guess,
   write them down,
   or both.

29 The Memorability and Security of Passwords Many of the problems of password authentication systems arise from the limitations of human memory.

30 The Memorability and Security of Passwords
Some passwords are very easy to remember
◦ but very easy to guess
   Dictionary attack.
Some passwords are very secure against guessing
◦ but difficult to remember,
◦ and might be compromised as a result of human limitations.
   The user may keep an insecure written record.

31 The Memorability and Security of Passwords
An experiment involving 400 first-year students at the University of Cambridge.
Testing how strong mnemonic-based passwords are and how easy they are to remember,
◦ in contrast with control and random passwords.

32 The Memorability and Security of Passwords
Methods:
◦ 4 types of attacks:
   Simple dictionary attack.
   Dictionary attack with permutation.
   User information attack.
   Brute force attack.
◦ Survey.

33 The Memorability and Security of Passwords
Conclusion:
◦ Users have difficulty remembering random passwords.
◦ Passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords are.

34 The Memorability and Security of Passwords
Conclusion:
◦ It isn't true that random passwords are better than those based on mnemonic phrases.
   Each type appeared to be as strong as the other.
◦ It is not true that passwords based on mnemonic phrases are harder to remember than naively selected passwords are.
   Each appeared to be reasonably easy to remember, with only about 2%-3% of users forgetting passwords.

35 Human Selection of Mnemonic Phrase-based Passwords
Hypothesis:
◦ Users will select mnemonic phrases that are commonly available on the Internet.
◦ It is possible to build a dictionary to crack mnemonic phrase-based passwords.

36 Human Selection of Mnemonic Phrase-based Passwords
Survey:
◦ A survey to gather user-generated passwords:
   Mnemonic passwords (144)
   Control passwords (146)

37 Human Selection of Mnemonic Phrase-based Passwords
Attacks:
◦ Dictionary attack
   Generate a mnemonic password dictionary: 400,000 entries.
   John the Ripper dictionary for the control passwords: 1.2 million entries.
◦ Dictionary attack with permutation
   Word mangling, e.g. replacing "a" with "@".
◦ Brute force attack.

38 Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password strength:
                                  Control   Mnemonic
   Strength score                 15.7      17.2
   Number of character classes    2.9       2.7
   Length                         9.9       9.5

39 Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Password cracking results:
◦ The user-generated mnemonic passwords were more resistant to brute force attacks than control passwords.
   Passwords compromised by:             Control   Mnemonic
   Basic dictionary                      6%        3%
   Basic dictionary with permutation     5%        1%
   Brute force attack                    8%        4%

40 Human Selection of Mnemonic Phrase-based Passwords
Results:
◦ Passwords based on external sources:
   The majority of mnemonic passwords are based on external sources.
   13% of control passwords are based on external sources.

41 Human Selection of Mnemonic Phrase-based Passwords Results: ◦ Password based on external sources:

42 Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ The majority of users select phrases from music lyrics, movies, literature, or television shows.
◦ This opens the possibility that a dictionary could be built for mnemonic passwords.
   If a comprehensive dictionary is built, it could be extremely effective against mnemonic passwords.
◦ Mnemonic phrase-based passwords offer a user-friendly alternative for encouraging users to create good passwords.

43 Human Selection of Mnemonic Phrase-based Passwords
Conclusion:
◦ Mnemonic phrase-based passwords are not as strong as people may believe.
◦ The space of possible phrases is large:
   Building a comprehensive dictionary is not a trivial task.
◦ System designers and administrators should specifically recommend to users that they avoid generating mnemonic passwords from common phrases.
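As an added example (not part of the deck or of either paper it summarizes), a small Python checker that applies the points above: it counts length and character classes as on the strength-score slide, blocks the MySpace top-20 from slide 14, and derives the mnemonic of a constructed list of well-known phrases to catch passwords such as "mtfbwu1!". The phrase list and the to/for/you substitutions are assumptions; a real mnemonic dictionary would be built from a far larger corpus.

```python
import string

# Top-20 MySpace passwords as quoted on slide 14.
MYSPACE_TOP20 = {
    "password1", "abc123", "myspace1", "password", "blink182",
    "qwerty1", "fuckyou", "123abc", "baseball1", "football1",
    "123456", "soccer", "monkey1", "liverpool1", "princess1",
    "jordan23", "slipknot1", "superman1", "iloveyou1", "monkey",
}

# Constructed stand-in for the "commonly available phrases" corpus; the
# deck's real mnemonic dictionary had 400,000 entries.
COMMON_PHRASES = [
    "to be or not to be that is the question",
    "may the force be with you",
    "i want to hold your hand",
]

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def char_classes(pw):
    """Count the character classes present (the slide-38 metric)."""
    return sum(any(c in cls for c in pw) for cls in CHAR_CLASSES)


def mnemonic_from_phrase(phrase):
    """First letter of each word, with the common to->2, for->4, you->u
    substitutions (assumed; the deck does not fix a derivation rule)."""
    subs = {"to": "2", "for": "4", "you": "u"}
    return "".join(subs.get(w, w[0]) for w in phrase.lower().split())


MNEMONIC_BLOCKLIST = {mnemonic_from_phrase(p) for p in COMMON_PHRASES}


def assess(pw, min_len=8):
    """Return the list of policy findings; an empty list means it passes."""
    findings = []
    low = pw.lower()
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if char_classes(pw) < 3:
        findings.append("fewer than 3 character classes")
    if low in MYSPACE_TOP20:
        findings.append("in the MySpace top-20 list")
    # Strip the trailing digits/punctuation users append to satisfy a
    # policy (the "slipknot1" effect) before the phrase lookup.
    base = low.rstrip(string.digits + string.punctuation)
    if low in MNEMONIC_BLOCKLIST or base in MNEMONIC_BLOCKLIST:
        findings.append("mnemonic of a widely known phrase")
    return findings
```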

44 Thank You
